Managing the QUIC Protocol


Google developed the QUIC protocol to increase the performance of HTTPS and HTTP (TCP 443 and TCP 80) connections. Chrome browsers have had experimental support for it since 2014 and it's also used in Chromium and Android devices.

QUIC connections do not require TCP handshakes. However, SSL inspection requires TCP session information. Because of this, Zscaler cannot examine QUIC sessions when users have SSL inspection enabled. When using QUIC, users might also experience certificate errors.

Zscaler best practice is to block QUIC. When it's blocked, QUIC has a failsafe to fall back to TCP. This enables SSL inspection without negatively impacting user experience.

How to Block QUIC

Choose how to block QUIC based on how you are forwarding your traffic to Zscaler.

GRE or IPSec Tunnel

If you are sending your outbound internet traffic to Zscaler through a GRE or IPSec tunnel, you can effectively block QUIC by creating a Firewall Filtering rule. This blocks QUIC UDP flows and forces the browser to default to TCP 80/443.

Z App

If you are only sending Z App traffic to Zscaler (or leveraging remote users), create a block rule on the device firewall that blocks outbound UDP 80 and 443. This is typically done by an IT admin and is different for every organization.
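As an added example (not part of the Zscaler procedure), the following PowerShell creates that outbound UDP 80/443 block rule on the built-in Windows Defender Firewall and then verifies that it exists, is enabled, and still carries the expected port filter. The rule name is an assumption; run it from an elevated session.

```powershell
# Added example: block outbound UDP 80/443 (QUIC) on the Windows Defender Firewall
# so that Chrome falls back to TCP 80/443 and the session can be SSL-inspected.
# Run from an elevated PowerShell session. The rule name below is an assumption.
$RuleName = 'Block QUIC (UDP 80/443)'

function Set-QuicBlockRule {
    # Idempotent: reuse the rule if it already exists, otherwise create it.
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if (-not $rule) {
        $rule = New-NetFirewallRule -DisplayName $RuleName `
            -Description 'Force browsers to fall back from QUIC to TCP 80/443' `
            -Direction Outbound -Protocol UDP -RemotePort 80,443 `
            -Action Block -Profile Any -Enabled True
    }
    return $rule
}

function Test-QuicBlockRule {
    # True only when the rule exists, is enabled, blocks, and filters UDP 80 and 443.
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if (-not $rule) { return $false }
    if ($rule.Enabled -ne 'True' -or $rule.Action -ne 'Block') { return $false }
    $port = $rule | Get-NetFirewallPortFilter
    $remote = @($port.RemotePort)
    return ($port.Protocol -eq 'UDP') -and ($remote -contains '443') -and ($remote -contains '80')
}

Set-QuicBlockRule | Out-Null
if (Test-QuicBlockRule) { Write-Output "QUIC block rule '$RuleName' is active" }
else { Write-Warning "QUIC block rule '$RuleName' is missing or misconfigured" }
```

Any other application that speaks UDP 443 (for example HTTP/3 in another browser) is blocked by the same rule and must fall back to TCP as well.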

TCP 80/443 Only

If you are only sending TCP 80/443 over a tunnel to Zscaler, block QUIC on your branch firewall.

If your firewall is not listed, refer to your manufacturer's documentation for details on how to block QUIC.

Alternative Methods

As an alternate measure, you can also block QUIC in Chrome itself.

To block QUIC with a Firewall Filtering rule:

  1. In the Zscaler Admin Portal, go to Policy > Firewall Control
  2. Click Add Firewall Filtering Rule
  3. Configure the Rule Order, Admin Rank, and Rule Name as desired. Set the Rule Status to Enabled
  4. In the Who, Where & When tab, ensure Any is selected for Users, Groups, Departments, and Locations, and Always is selected for Time
  5. In the Services & Applications tab, select QUIC under Network Services. Leave the other fields as their default values
  6. Select Block/Reset as the Action
  7. Click Save and activate your changes

If you have administrator access for Google Apps, you can create a Chrome policy that disables QUIC for all users. To learn more, see Google Chrome Enterprise Help. If you do not, you can still disable QUIC on individual machines.

Whenever Chrome is updated, the settings revert to their default values and you need to disable QUIC again.
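As an added example (not from the Zscaler page or Google's documentation), this PowerShell sets Chrome's machine-level enterprise policy QuicAllowed to 0 in the registry on a Windows machine, which disables QUIC for every Chrome profile on that machine and, unlike a chrome://flags entry, is not reset by a Chrome update. The function names are assumptions; run it from an elevated session and confirm the result at chrome://policy.

```powershell
# Added example: disable QUIC in Google Chrome through the machine-level
# enterprise policy (QuicAllowed = 0) instead of the per-user chrome://flags entry.
# Run from an elevated PowerShell session. Chrome reads the key on its next start.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

function Disable-ChromeQuic {
    # Create the policy key if no Chrome policy has been set on this machine yet.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # DWORD 0 = QUIC not allowed; 1 (or absent) = Chrome may negotiate QUIC.
    New-ItemProperty -Path $PolicyKey -Name 'QuicAllowed' -Value 0 `
        -PropertyType DWord -Force | Out-Null
}

function Test-ChromeQuicDisabled {
    # True only when the policy key exists and QuicAllowed is exactly 0.
    $value = Get-ItemProperty -Path $PolicyKey -Name 'QuicAllowed' -ErrorAction SilentlyContinue
    return ($null -ne $value) -and ($value.QuicAllowed -eq 0)
}

Disable-ChromeQuic
if (Test-ChromeQuicDisabled) { Write-Output 'Chrome policy QuicAllowed=0 is set' }
else { Write-Warning 'Chrome QUIC policy is not applied' }
```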

To disable QUIC on individual machines:

  1. Open Chrome
  2. In the address bar type: chrome://flags
  3. In the search bar, type "quic"
  4. Click the drop-down and select Disabled
    When Default is selected, Chrome attempts to use QUIC
  5. When prompted, click Relaunch Now to restart Chrome and apply your changes

If you are using a FortiGate firewall, you need to create a new service and then create a top-level policy to block the newly created service.

To create a service:

  1. In the FortiGate portal, go to Policy and Objects > Services
  2. Click Create new Service
  3. Complete the following:
    • Name: Enter "QUIC"
    • Protocol Type: Select TCP/UDP/SCTP
    • Destination Port: To configure the destination ports:
      1. Select UDP from the drop-down menu
      2. Enter 443 in the field marked Low
      3. Leave High blank
      4. Click the plus icon to add an additional destination port
      5. Select UDP from the drop-down menu
      6. Enter 80 in the field marked Low
      7. Leave High blank
    • Other fields should be left with their default values
  4. Click OK to save your service

To create a policy:

  1. In the FortiGate portal, go to Policy and Objects > IPv4 Policy
  2. Click Create New
  3. Complete the following:
    • Name: Enter a name for this policy. For example, "ServiceDeny".
    • Incoming Interface: Select Internal
    • Outgoing Interface: Select wan
    • Source: Select all
    • Destination: Select all
    • Schedule: Select always
    • Service: Select the QUIC service you created above
    • Action: Select DENY
    • Log Violation Traffic: Enable this option
    • Enable this policy: Enable this option
  4. Click OK to save your policy

To block QUIC with a Palo Alto Networks Firewall, you need to create a new security policy.

To do this:

  1. In the Palo Alto Networks portal, go to Policies > Security
  2. Click Add
  3. In the General tab, enter a Name for the rule
  4. In the Source tab, select the Source Zone for your rule
  5. In the User tab, select any as the value for users
  6. In the Destination tab, select either Untrust or your internet-facing zone as the Destination Zone
  7. In the Application tab:
    1. Select Add
    2. Enter "quic" in the search bar
    3. Select the quic application
  8. In the Service/URL Category tab, leave all fields with their default value
  9. In the Actions tab, select Drop as the action and configure other fields as desired
  10. Click OK to save the policy
